patient, family and doctor

HIPAA-Compliance and a Patient’s Family and Friends

How do clinicians keep loved ones informed while respecting HIPAA guidelines?

Although HIPAA is all about privacy, how practical is that when family is there, or on the phone? Can you say anything at all? How much can you say? What about emergency situations? What about minors?

The guiding rule about sharing protected health information (PHI) is that it’s the patient’s decision. Sometimes it’s easy to know what the patient wants, but not always. The easy one is when a patient has named a person in advance on their ‘consent to treatment’ form (or intake, or other initial paperwork). This is called an ‘Authorization.’ If they have not named the person, the HIPAA Privacy Rule requires that the patient have “the opportunity to agree or object” to sharing information.

Many situations are not as obvious, and in the rush of patient care, what should you do?

Common Dilemmas for HIPAA and Communicating with Loved Ones

Question: I’m talking with a patient and his wife walks in. May I continue our conversation?

Answer: If you are unsure whether the patient has named someone in advance – it could be a family member or a friend, ask the patient. You do NOT need to get written permission. They may agree verbally. Best practices require you to document that agreement in their patient record afterward.

Question: I’m treating a patient who is unconscious and unable to tell me – may I talk with her family?

Answer: If the patient is unable to tell you, use your experience and professional judgment to decide if it’s in the patient’s best interest to talk with them. Be sure to follow the “minimum necessary” rule – only discuss information relevant to that person’s involvement with the patient’s care. Later you should document this in the patient’s record.

Question: I have a 19-year-old patient and her mom would like to talk with me about her daughter’s headaches and migraines. Her mom who lives out of state has called me  but I do not have anything signed giving her permission to have this information.

Answer: You may talk to the mom if she is involved in your patient’s care, as long as you give your patient, the daughter, the opportunity to agree or object first. You do not need her written authorization but may call and get her verbal agreement. You should document that you obtained her permission, and keep it with her records.

Question: I’m caring for an elderly patient and her son has called me to ask about her medications. May I tell him?

Answer: This is similar to the question above. If your patient has told you it’s ok, that’s enough. You don’t need her written permission, but you should document it in your clinical notes that the patient told you it was ok to talk to him.

On the other hand, if the patient is unable to tell you (has dementia, is unconscious or otherwise incapacitated) use your experience and professional judgment, follow the minimum necessary rule, and document it.

Question: We are an EMS agency and just transported a patient to the hospital. If we get a phone call asking for the destination, may we tell them?

Answer: It depends. HIPAA permits you to share “minimum necessary” information with family and friends involved in the individual’s care. So…

If you can verify with a reasonable degree of certainty that the person calling is involved in their care, whether in the family, or even a neighbor who is a caregiver, you may tell them the hospital destination. Document in the record that you spoke to them. HIPAA allows this because it’s in the patient’s best interest for friends and family involved in their care to know. But a nosy neighbor, a random person, or the media… NO.

Question: My patient’s ex-husband has called our office to ask for information because she is covered by his health insurance. Is it ok to answer the ex-husband’s questions?

Answer: Not unless you have a valid Authorization from your patient naming her ex-husband  – if not, say “no” and tell him to call his health insurance provider.

Question: The parent of a college age (18+) student wants to know when her daughter was last in to see me? May I tell them?

Answer: Probably not. HIPAA defers to State law here, and in most states a ‘minor’ becomes an ‘adult’ at 18. So, without your patient’s agreement, you should not answer her question. But if an adult child has agreed – and they may agree verbally – you may continue to share information with the parent.

NOTE: How minors (under 18 in most states) are treated is complicated, especially when they become adolescents. The general rule is that parents and guardians are considered the “personal representative” of a minor child – they are “stand-ins” for the child and can make decisions about the child’s health care, and receive and ask for health information – but there are some exceptions.

Exceptions – Mental Health, Drug/Alcohol Treatment, Sexual Health Services

There are special situations where a parent is not treated as a minor child’s “personal representative”. For example, a State law might allow adolescents to obtain sexual health services or mental health treatment without parental consent. In those situations, the HIPAA Privacy Rule defers to State law. And with the opioid crisis there are Federal privacy laws that are stricter than HIPAA and may not permit parent involvement.

HIPAA Family and Friends Exception – Safety

A parent also may not be a personal representative if there are safety concerns. If you believe that the minor is a victim of abuse or neglect by the parent or may be endangered if you treat the parent as the personal representative, then you do not need to treat them as such. What to do? You can report it – see below.

Question: I strongly suspect that a patient is a victim of domestic abuse, although the patient has not confided in me. The abuse seems to be escalating, judging by the injuries I’ve seen. May I do anything?

Answer: Yes. If you believe the patient is a victim of abuse, you should alert a government agency authorized by law to receive such a report. You may obtain an adult patient’s agreement but are not required to in certain circumstances. You must inform the patient of your report unless you believe that informing the patient would increase the risk of further abuse.

Question: I am a therapist for someone who I believe poses a threat of harm to himself or to others – do I have any leeway about talking to law enforcement or the family without the patient’s permission?

Answer: Yes. The HIPAA Privacy Rule allows you to provide necessary information about a patient to law enforcement, family members, school administrators or others if you believe the patient presents a serious and imminent threat to himself or others, and that a warning could help prevent or lessen the threat. A letter to the nation’s health care providers in 2013 following mass school shootings described the scope of this permission under HIPAA.*

Question: The patient in our care is now deceased. May I provide information to his family?

Answer: Yes, as long as it does not go against any preference the patient expressed when they were alive. The “minimum necessary” rule applies – only disclose health information that is relevant to the person’s involvement in the deceased patient’s care or payment for care.

What the patient wants is central to your decisions about talking to family and friends:

  • Has the patient agreed?
  • Can you give the patient an “opportunity to agree or object”?
  • If not, use your professional judgment.
  • Follow the “minimum necessary” rule.
  • Make a note in the record.
  • A major exception is when the patient poses a “serious and imminent threat” to himself or others. Then alert the authorities.

*Letter describing the scope of permission to alert law enforcement or family of a patient’s threat of danger can be found here

The HIPAA E-Tool® makes compliance fast and easy. Get your free HIPAA Quick Start Kit, complete with a webcam privacy guard, HIPAA Hot Zone labels and a HIPAA checklist delivered directly to your office.

Share This Post

Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2022 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC

Terms of Service | Privacy Policy

Mailing Address
The HIPAA E-Tool
PO Box 179104
St. Louis, MO 63117-9104

8820 Ladue Road Suite 200
St. Louis, MO 63124

Free hipaa kit!

hipaa compliance Quick start kit
Delivered free